Talos Vulnerability Report

TALOS-2015-0054

Network Time Protocol Trusted Keys Memory Corruption Vulnerability

Oct 21, 2015
Description

An exploitable use-after-free vulnerability exists in the password management functionality of the Network Time Protocol. A specially crafted key file could cause a buffer overflow resulting in memory corruption. An attacker could provide a malicious password file to trigger this vulnerability.

Tested Versions

ntp 4.2.8p2

Product URLs

http://www.ntp.org

Details

The function authdelkeys() will free all the keys that are used for user authentication. In the case of normal keys, they will also be removed from the list of keys. However in the case of trusted keys, the memory holding the keys will be freed but the pointer to that memory location will not be set to NULL.

This is the code at line 598 in authkeys.c:

	if (KEY_TRUSTED & sk->flags) {
		if (sk->secret != NULL) {
			memset(sk->secret, '\0', sk->secretsize);
			free(sk->secret);
		}
		sk->secretsize = 0;
		sk->lifetime = 0;
	} else {

Since the key is still in the linked list it will simply be copied to at line 541 in authkeys.c:

    for (sk = *bucket; sk != NULL; sk = sk->hlink) {
        if (keyno == sk->keyid) {
            sk->type = (u_short)keytype;
            secretsize = len;
            sk->secretsize = (u_short)secretsize;
#ifndef DISABLE_BUG1243_FIX
            memcpy(sk->secret, key, secretsize);

Reuse of a previous buffer can lead to inconsistencies in authentication tokens or memory corruption.

Credit

Discovered by Yves Younan of Cisco Talos.